oreilly.comSafari Books Online.Conferences.


Security Alerts

Linux Kernel Exploitation

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, Oracle Database Server, Oracle Application Server, DB2 Universal Database, vpopmail, MIT Kerberos 5, cfengine, CDE libDtHelp, Anonymous CVS, Samba, the zlib library, Courier-IMAP, and Python.

The Linux Kernel

A problem in the way the Linux kernel handles 64-bit file offset pointers can, under some conditions, be exploited by an attacker to view portions of kernel memory and gain access to sensitive information, such as the root password. This problem is reported to affect Linux kernel versions 2.4 through 2.4.26 and 2.6 through 2.6.7.

Users should watch their vendors for an updated version of the Linux kernel.

Oracle Database Server and Oracle Application Server

Multiple unspecified security vulnerabilities (including buffer overflows, PL/SQL injection bugs, trigger abuse conditions, character set conversion bugs, and bugs that can be used in a denial-of-service attack) have been reported to affect the Oracle Database Server and the Oracle Application Server. Affected versions include Oracle Database 10g Release 1 Version; Oracle9i Database Server Release 2 versions and; Oracle9i Database Server Release 1, versions,, and 9.0.4; Oracle8i Database Server Release 3, version; Oracle Application Server 10g (9.0.4), versions and,; Oracle9i Application Server Release 2, versions and; and Oracle9i Application Server Release 1, version

It is reported that Oracle released, on August 31, 2004, a set of patches to repair three vulnerabilities and that the patches are available from Oracle's Metalink web site. Users of affected Oracle products should contact Oracle for more information.

DB2 Universal Database

IBM's DB2 Universal Database is reported to be vulnerable to two remotely exploitable buffer overflows. While details have been withheld, a vulnerability of this type often can be exploited to execute arbitrary code with the permissions of the account running the database. Versions of DB2 reported to be affected by this vulnerability are DB2 8.1 Fixpak 6 and older, and DB2 7.x Fixpak 11 and older.

IBM has released Fixpak 7 for DB2 8.1 and Fixpak 12 for DB2 7.x. Affected users are encouraged to upgrade as soon as possible.


A heap corruption bug has been reported in the RSA authentication code of cfservd. This bug, under some circumstances, is exploitable by a remote attacker to execute arbitrary code with root permissions. An additional bug in cfservd may be exploited as part of a denial-of-service attack against cfengine.

Users of cfengine should watch their vendors for an updated package.


vpopmail is used to manage virtual email domains and non-/etc/passwd email accounts on a qmail or Postfix mail server. vpopmail is vulnerable to several SQL injection bugs and, under some conditions, a buffer overflow and a format-string-based bug. These vulnerabilities may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user account running vpopmail.

The developers of vpopmail recommend that users upgrade to the 5.4.6 release or newer as soon as possible.

MIT Kerberos 5

Problems have been discovered in the KDC utility, the ASN.1 decoder library, and the krb5 library code in versions of MIT Kerberos 5 earlier than krb5-1.3.5. Under some conditions, these problems may be exploitable by a remote attacker to execute arbitrary code with (in many cases) root permissions, or used to conduct a denial-of-service attack. At this time, no exploits have been published and the MIT Kerberos 5 development team believes that exploiting these vulnerabilities would be very difficult.

Users of MIT Kerberos 5 should upgrade to krb5-1.3.5 or newer as soon as possible.

CDE libDtHelp

The libDtHelp library distributed with the Common Desktop Environment (CDE) contains a buffer overflow vulnerability that can be exploited by a local attacker to gain root permissions and execute arbitrary commands. The buffer overflow is in the library code that handles the DTHELPSEARCHPATH and DTHELPUSERSEARCHPATH environmental variables. When exploited in a CDE application that is installed set user id root, the attacker will gain root permissions.

Affected users should watch their vendors for a repaired version of the CDE libDtHelp library.

SSHD/Anonymous CVS

Sites allowing anonymous CVS in conjunction with a default install of SSH may be vulnerable to an attack that uses the SSH port-forwarding functionality to bounce unauthorized network traffic (for example, spam) through the server.

It is suggested that any site that allows anonymous connections set AllowTcpForwarding to no in their sshd_config file.


A denial-of-service vulnerability has been announced for all versions of Samba earlier than 3.0.6 and 2.2.11. This vulnerability is caused when a Microsoft Windows XP SP2 client sends a FindNextPrintChangeNotify() request without having first sent a FindFirstPrintChangeNotify().

The Samba developers have released versions 3.0.6 and 2.2.11 of Samba to mitigate this problem.

zlib Library

The zlib library is reported to be vulnerable to a denial-of-service attack in applications linked to the library. The attack is reported to use bugs in the inflate() and inflateBack() functions.

Affected users should watch their vendors for a repaired version of the zlib library.


The Courier-IMAP IMAP email server has a format-string-based vulnerability in its auth_debug() function, when DEBUG_LOGIN is enabled, that can be exploited by a remote attacker to execute arbitrary code with the permissions of the user account running Courier-IMAP.

It is recommended that users upgrade to a repaired version of Courier-IMAP as soon as possible.


A buffer overflow in the Python programming language's DNS handling function getaddrinfo() may be exploitable under some conditions and result in arbitrary code being executed. Python is only vulnerable when IPV6 is disabled.

Users should watch their vendors for a repaired version of Python or upgrade to Python 2.2.2 or newer.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: